A cellular or trunked communication system is one in which mobile or portable user terminals, such as mobile telephones or portable or vehicle mounted radios, herein collectively referred to as ‘mobile stations’ or ‘MSs’, can communicate via a system infrastructure which generally includes one or more fixed base stations (base transceiver stations) and other routing and control installations. Each base station has one or more transceivers which serve MSs in a given region or area known as a ‘cell’ or ‘site’ by radio communication. The cells of neighbouring base stations are often overlapping.
A mobile communication system providing wide area coverage may be considered as being formed of a plurality of interlinked networks. Each network includes an infrastructure comprising in its simplest form at least a router (or zone controller or switch) which routes communications to and from the network and within the network, one or more base stations and an authentication processor which authenticates and registers MSs for use in the network. The networks may communicate by various known means such as radio or microwave communication, hard wired electrical or optical communication, and the internet.
It is usual for a MS of a particular user registered with a mobile system operator to have a ‘home’ network which normally provides a communication service to the user. If the user moves to another region not covered by the home network, e.g. to a foreign country, it is still possible for the user to receive a service from the local network. An authentication process between the user's home network and the ‘visited’ network needs to be completed satisfactorily before the service from the visited network proceeds.
One particular type of mobile communication system widely used in Europe and elsewhere to support communications within organisations such as public safety services and enterprises is a TETRA system. Such a system is one designed to operate in accordance with the TETRA (Terrestrial Trunked Radio) standard procedures or ‘protocol’ defined by the European Telecommunication Standards Institute (ETSI). In order to provide authentication as part of registration of a particular user's MS in a home TETRA network, an authentication key ‘K’ is used. This is programmed into the MS at a secure location such as the manufacturer's factory and is stored in a memory of the MS. A copy of ‘K’ is stored in a memory of the home network infrastructure associated with the infrastructure's authentication processor. The authentication processor will also hold information relating to the identity of MSs registered to operate in the network, including the identity of a particular MS holding a particular key K.
With respect to operation in a TETRA system, when a user visits a geographical region other that in which the home network of the user's MS is located and service is possible from a visited network, i.e. a local network which can in general be any network other than the home network of the user's MS, the visited network will need to authenticate the visiting MS to ensure it is genuine, before providing access to network services. Similarly, the MS will also authenticate the visited network to ensure the network can be trusted. The visited network is able to perform authentication with the visiting MS because the home network supplies session authentication information or ‘SAI’ to the visited network. The SAI includes a random seed (RS) and authentication session keys (KS and KS′). KS and KS′ are derived by the authentication processor of the home network from K for the particular MS and RS. The MS is able to generate the same SAI (consisting of RS, KS and KS′) using its stored K and the RS supplied to it from the home network. The derived key KS is for use by the authentication processor of the visited network to authenticate the MS and the derived key KS′ is for use by the MS to authenticate the visited network. If authentication is successful, then trust is established between the MS and the visited network and communication between the two can proceed.
There is a problem with this known procedure in that the issued SAI is not limited in time. Once the visited network has possession of the SAI, the visited network may authenticate successfully with the MS ad infinitum, or at least until the MS's authentication key K changes; the latter would invalidate all previously generated SAI. If a visited network were to become non-trusted in the future, or if the information supplied to the visited network were to become compromised, e.g. known to a would-be fraudulent operator, the authentication process would still work in a situation when it clearly should not. Adversaries that have possession of the SAI would be able to set up spoof base stations that appear to the MS as part of the home network, and similarly would-be fraudulent operators would be able to set up a spoof MS.
If only one MS were to have its SAI compromised then the simplest approach to deal with the problem would be to provision a new K into the MS and the home network. However, if the compromise of SAI occurred on a large scale, e.g. someone hacked into a visited network containing SAI for thousands of MS, it would be prohibitive in terms of cost to recall thousands of MS to be provisioned with new K, not to mention the loss of the authentication service, particularly on the home network, and the lost service and revenues by the operator associated with that.
Current commercial cellular communication systems involve the use of one-way authentication only (i.e. authentication of the MS), since the main security threat is fraudulent use of network services by rogue MS(s). These networks provide in one inter-system transaction a random challenge, expected response and cipher key, from the home network to the visited network. The visited network therefore has all the information required to perform the one-way authentication with the MS, without involving the home network any further. Unfortunately, this methodology is not practical in TETRA systems owing to the fact that mutual authentication (i.e. two-way authentication) requires the MS to provide a random challenge part-way through the air interface protocol exchange, and therefore it is preferred for the home network to supply the visited network with SAI that is required to allow the visited network to perform all aspects of the mutual authentication in real time. In consequence, there is no TETRA system currently commercially available which supports mutual authentication over an inter-network interface. Therefore, the problem of how to deal with a large scale compromise of SAI held by a visited network has therefore not been dealt with thus far.